In communication, the demand for confidentiality is a perennial theme, from ancient times into the future. In today's network society, this demand has been met through the development of cryptology. Cryptography may be classified into common-key cryptosystems and public-key cryptosystems. The security of common-key cryptosystems is based on the fact that it is difficult to cryptanalyze ciphertext even when it is eavesdropped on, and the security of public-key cryptosystems is based on the fact that cryptanalyzing ciphertext takes an impractical amount of time even though the cryptanalysis algorithm is known. However, for common-key cryptosystems there is a possibility that an effective cryptanalytic method may be found, and for public-key cryptosystems there is a possibility that a cryptanalysis algorithm faster than the currently known one may be found. In addition, once a quantum computer is realized, it will be relatively easy to cryptanalyze ciphertext of public-key cryptosystems even using the existing algorithms. For these reasons, quantum cryptography has attracted interest recently.
Quantum cryptography ensures security by physical law, using quantum mechanical properties. The security of ordinary cryptography is based on the fact that current computers cannot efficiently cryptanalyze eavesdropped ciphertext. Quantum cryptography, on the other hand, realizes security physically, and therefore is not at risk of being cryptanalyzed even if cryptanalysis or computers are improved (Non-Patent Document 1). However, quantum cryptography still has many problems because it necessarily uses quantum mechanical states. A quantum mechanical state may easily change from its original state to another state through interaction with the environment (decoherence). Loss is inevitable in transmission channels such as optical fibers. Because a quantum state changes through loss, quantum cryptography is applicable only over a limited transmission distance. A maximum transmission distance is, for example, about 100 km. When there is loss in a transmission line, signals are usually amplified to compensate for the loss. However, amplification causes decoherence of the original state, and therefore amplification is not allowed in quantum cryptography. In addition, quantum cryptography needs to use ultralow-power light. Furthermore, because of these limitations, present optical communication systems would need to be reconstructed in order to operate quantum cryptography. As described above, there are many limitations in operating quantum cryptography.
A method called the αη scheme was proposed to solve the above problems of quantum cryptography. The method uses multiple signal bases in phase space, and neighboring bases are set within the quantum fluctuation so that eavesdroppers cannot obtain accurate information (Non-Patent Document 2). Because this scheme relies on the quantum fluctuation to guarantee security, sufficient security cannot be obtained when the signal light intensity is too large, since the effect of the quantum fluctuation then becomes negligible. Although this scheme uses a higher light intensity than quantum cryptography, it still requires an intensity sufficiently lower than that of ordinary optical communication. Practical communication systems, however, require light intensity on the level of ordinary optical communication. To meet this requirement, a method using antisqueezing was proposed (Patent Document 1). This method makes eavesdropping difficult by using multi-value bases together with antisqueezed (expanded) fluctuations. The antisqueezed fluctuations are sufficiently larger than the quantum fluctuation and may be regarded as classical fluctuations rather than quantum mechanical ones. This method was devised under the precondition that it is applied to general optical communication. Patent Document 2 discloses an example of a method satisfying the precondition, in which the antisqueezed light generator is constructed using only optical communication components that have long-term reliability.
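A numerical model of the multi-basis idea described above, added here as an illustration and not taken from the cited documents. Assumptions of this example: classical Gaussian phase noise stands in for the fluctuation, the legitimate receiver knows the basis used for each bit, and the value of `M`, the alternating bit mapping and the eavesdropper's nearest-point strategy are all chosen for the example.

```python
import math
import random

M = 101                    # number of bases; odd so bit polarity alternates around the circle (assumed)
SPACING = math.pi / M      # angle between neighbouring signal points (2M points in total)

def encode(bit, basis):
    """Pick the one of the basis's two antipodal points whose index parity equals the bit."""
    idx = basis if (basis & 1) == bit else basis + M
    return idx * SPACING

def legit_decode(phase, basis):
    """Receiver knows the basis: binary decision between its two antipodal points."""
    near_first = math.cos(phase - basis * SPACING) > 0
    return (basis if near_first else basis + M) & 1

def eve_decode(phase):
    """Eavesdropper lacks the basis: nearest of all 2M points, then read its bit."""
    idx = round((phase % (2 * math.pi)) / SPACING) % (2 * M)
    return idx & 1

def error_rates(sigma_in_spacings, trials=20000, seed=1):
    """Return (legitimate, eavesdropper) bit error rates for Gaussian phase noise.
    sigma_in_spacings is the noise standard deviation in units of the basis spacing."""
    rng = random.Random(seed)  # fixed seed: constructed, repeatable sample data
    legit_err = eve_err = 0
    for _ in range(trials):
        bit, basis = rng.getrandbits(1), rng.randrange(M)
        phase = encode(bit, basis) + rng.gauss(0.0, sigma_in_spacings * SPACING)
        legit_err += legit_decode(phase, basis) != bit
        eve_err += eve_decode(phase) != bit
    return legit_err / trials, eve_err / trials

if __name__ == "__main__":
    for sigma in (0.1, 4.0):   # fluctuation much smaller / larger than the basis spacing
        print(sigma, error_rates(sigma))
```

When the fluctuation is well below the basis spacing, the eavesdropper in this model reads essentially every bit; when it spans several neighboring bases, the eavesdropper's error rate approaches 50% while the receiver who knows the basis is unaffected.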
So far, cryptographic communication has been described from the point of view of physics. Meanwhile, when the security of communication is considered from the information theoretic point of view, it is known that the security does not depend on whether the signal light is quantum mechanical or classical (Non-Patent Documents 3 and 4). In this sense, quantum cryptography can be interpreted as one of the methods covered by general information theory.
The method for realizing secure communication may be divided into several processes. One of these processes is privacy amplification. Non-Patent Document 5 discloses a method for generating a secret key through privacy amplification.